sudo nmap -p 22 192.168.0.0/24
Renewing SSL certificates (Expires every 90 days)
#/usr/bin/env bash\n\nexport CLOUDFLARE_DNS_API_TOKEN=XXXXXXXX\n\nlego \\ \n--email email@domain.com \\ \n--dns cloudflare \\ \n--domains \"domain.com\" \\ \n--domains \"*.domain.com\" \\ \n--domains \"*.dev.domain.com\" run\n\nls .lego/certificates/\nCopy .crt and .key to Caddy, HAProxy, Nginx config directory.
sudo chown caddy *.crt sudo chown caddy *.key
lego
"},{"location":"infrastructure/networking/certificates/#creating-pem-file-for-haproxy-octoprint","title":"Creating pem file for haproxy (octoprint)","text":"cat domain.com.crt domain.com.key > combined.pem\nDocs
nebula-cert sign -name $HOSTNAME -ip \"192.168.100.XX/24\" -groups \"$HOSTNAME,$GROUPNAME\"\nCopy config files generated above onto client machines to /etc/nebula
DO NOT COPY ca.key
/etc/nebula/
ca.crtconfig.yamloctoprint.crtoctoprint.key$LIGHTHOUSE_PUBLIC_IP$HOSTNAME$GROUPNAME# This is the nebula example configuration file. You must edit, at a minimum, the static_host_map, lighthouse, and firewall sections\n# Some options in this file are HUPable, including the pki section. (A HUP will reload credentials from disk without affecting existing tunnels)\n\n# PKI defines the location of credentials for this node. Each of these can also be inlined by using the yaml \": |\" syntax.\npki:\n# The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca'\nca: /etc/nebula/ca.crt\ncert: /etc/nebula/$HOSTNAME.crt\nkey: /etc/nebula/$HOSTNAME.key\n# blocklist is a list of certificate fingerprints that we will refuse to talk to\n#blocklist:\n# - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72\n# disconnect_invalid is a toggle to force a client to be disconnected if the certificate is expired or invalid.\n#disconnect_invalid: false\n\n# The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).\n# A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.\n# The syntax is:\n# \"{nebula ip}\": [\"{routable ip/dns name}:{routable port}\"]\n# Example, if your lighthouse has the nebula IP of 192.168.100.1 and has the real ip address of 100.64.22.11 and runs on port 4242:\nstatic_host_map:\n\"192.168.100.1\": [\"$LIGHTHOUSE_PUBLIC_IP:4242\"]\n\n\nlighthouse:\n# am_lighthouse is used to enable lighthouse functionality for a node. This should ONLY be true on nodes\n# you have configured to be lighthouses in your network\nam_lighthouse: false\n# serve_dns optionally starts a dns listener that responds to various queries and can even be\n# delegated to for resolution\n#serve_dns: false\n#dns:\n# The DNS host defines the IP to bind the dns listener to. This also allows binding to the nebula node IP.\n#host: 0.0.0.0\n#port: 53\n# interval is the number of seconds between updates from this node to a lighthouse.\n# during updates, a node sends information about its current IP addresses to each node.\ninterval: 60\n# hosts is a list of lighthouse hosts this node should report to and query from\n# IMPORTANT: THIS SHOULD BE EMPTY ON LIGHTHOUSE NODES\n# IMPORTANT2: THIS SHOULD BE LIGHTHOUSES' NEBULA IPs, NOT LIGHTHOUSES' REAL ROUTABLE IPs\nhosts:\n- \"192.168.100.1\"\n\n# remote_allow_list allows you to control ip ranges that this node will\n# consider when handshaking to another node. By default, any remote IPs are\n# allowed. You can provide CIDRs here with `true` to allow and `false` to\n# deny. The most specific CIDR rule applies to each remote. If all rules are\n# \"allow\", the default will be \"deny\", and vice-versa. If both \"allow\" and\n# \"deny\" IPv4 rules are present, then you MUST set a rule for \"0.0.0.0/0\" as\n# the default. Similarly if both \"allow\" and \"deny\" IPv6 rules are present,\n# then you MUST set a rule for \"::/0\" as the default.\n#remote_allow_list:\n# Example to block IPs from this subnet from being used for remote IPs.\n#\"172.16.0.0/12\": false\n\n# A more complicated example, allow public IPs but only private IPs from a specific subnet\n#\"0.0.0.0/0\": true\n#\"10.0.0.0/8\": false\n#\"10.42.42.0/24\": true\n\n# EXPERIMENTAL: This option may change or disappear in the future.\n# Optionally allows the definition of remote_allow_list blocks\n# specific to an inside VPN IP CIDR.\n#remote_allow_ranges:\n# This rule would only allow only private IPs for this VPN range\n#\"10.42.42.0/24\":\n#\"192.168.0.0/16\": true\n\n# local_allow_list allows you to filter which local IP addresses we advertise\n# to the lighthouses. This uses the same logic as `remote_allow_list`, but\n# additionally, you can specify an `interfaces` map of regular expressions\n# to match against interface names. The regexp must match the entire name.\n# All interface rules must be either true or false (and the default will be\n# the inverse). CIDR rules are matched after interface name rules.\n# Default is all local IP addresses.\n#local_allow_list:\n# Example to block tun0 and all docker interfaces.\n#interfaces:\n#tun0: false\n#'docker.*': false\n# Example to only advertise this subnet to the lighthouse.\n#\"10.0.0.0/8\": true\n\n# advertise_addrs are routable addresses that will be included along with discovered addresses to report to the\n# lighthouse, the format is \"ip:port\". `port` can be `0`, in which case the actual listening port will be used in its\n# place, useful if `listen.port` is set to 0.\n# This option is mainly useful when there are static ip addresses the host can be reached at that nebula can not\n# typically discover on its own. Examples being port forwarding or multiple paths to the internet.\n#advertise_addrs:\n#- \"1.1.1.1:4242\"\n#- \"1.2.3.4:0\" # port will be replaced with the real listening port\n\n# EXPERIMENTAL: This option may change or disappear in the future.\n# This setting allows us to \"guess\" what the remote might be for a host\n# while we wait for the lighthouse response.\n#calculated_remotes:\n# For any Nebula IPs in 10.0.10.0/24, this will apply the mask and add\n# the calculated IP as an initial remote (while we wait for the response\n# from the lighthouse). Both CIDRs must have the same mask size.\n# For example, Nebula IP 10.0.10.123 will have a calculated remote of\n# 192.168.1.123\n#10.0.10.0/24:\n#- mask: 192.168.1.0/24\n# port: 4242\n\n# Port Nebula will be listening on. The default here is 4242. For a lighthouse node, the port should be defined,\n# however using port 0 will dynamically assign a port and is recommended for roaming nodes.\nlisten:\n# To listen on both any ipv4 and ipv6 use \"::\"\nhost: 0.0.0.0\nport: 4242\n# Sets the max number of packets to pull from the kernel for each syscall (under systems that support recvmmsg)\n# default is 64, does not support reload\n#batch: 64\n# Configure socket buffers for the udp side (outside), leave unset to use the system defaults. Values will be doubled by the kernel\n# Default is net.core.rmem_default and net.core.wmem_default (/proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_default)\n# Maximum is limited by memory in the system, SO_RCVBUFFORCE and SO_SNDBUFFORCE is used to avoid having to raise the system wide\n# max, net.core.rmem_max and net.core.wmem_max\n#read_buffer: 10485760\n#write_buffer: 10485760\n# By default, Nebula replies to packets it has no tunnel for with a \"recv_error\" packet. This packet helps speed up reconnection\n# in the case that Nebula on either side did not shut down cleanly. This response can be abused as a way to discover if Nebula is running\n# on a host though. This option lets you configure if you want to send \"recv_error\" packets always, never, or only to private network remotes.\n# valid values: always, never, private\n# This setting is reloadable.\n#send_recv_error: always\n\n# Routines is the number of thread pairs to run that consume from the tun and UDP queues.\n# Currently, this defaults to 1 which means we have 1 tun queue reader and 1\n# UDP queue reader. Setting this above one will set IFF_MULTI_QUEUE on the tun\n# device and SO_REUSEPORT on the UDP socket to allow multiple queues.\n# This option is only supported on Linux.\n#routines: 1\n\npunchy:\n# Continues to punch inbound/outbound at a regular interval to avoid expiration of firewall nat mappings\npunch: true\n\n# respond means that a node you are trying to reach will connect back out to you if your hole punching fails\n# this is extremely useful if one node is behind a difficult nat, such as a symmetric NAT\n# Default is false\n#respond: true\n\n# delays a punch response for misbehaving NATs, default is 1 second.\n#delay: 1s\n\n# set the delay before attempting punchy.respond. Default is 5 seconds. respond must be true to take effect.\n#respond_delay: 5s\n\n# Cipher allows you to choose between the available ciphers for your network. Options are chachapoly or aes\n# IMPORTANT: this value must be identical on ALL NODES/LIGHTHOUSES. We do not/will not support use of different ciphers simultaneously!\n#cipher: aes\n\n# Preferred ranges is used to define a hint about the local network ranges, which speeds up discovering the fastest\n# path to a network adjacent nebula node.\n# NOTE: the previous option \"local_range\" only allowed definition of a single range\n# and has been deprecated for \"preferred_ranges\"\n#preferred_ranges: [\"172.16.0.0/24\"]\n\n# sshd can expose informational and administrative functions via ssh this is a\n#sshd:\n# Toggles the feature\n#enabled: true\n# Host and port to listen on, port 22 is not allowed for your safety\n#listen: 127.0.0.1:2222\n# A file containing the ssh host private key to use\n# A decent way to generate one: ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N \"\" < /dev/null\n#host_key: ./ssh_host_ed25519_key\n# A file containing a list of authorized public keys\n#authorized_users:\n#- user: steeeeve\n# keys can be an array of strings or single string\n#keys:\n#- \"ssh public key string\"\n\n# EXPERIMENTAL: relay support for networks that can't establish direct connections.\nrelay:\n# Relays are a list of Nebula IP's that peers can use to relay packets to me.\n# IPs in this list must have am_relay set to true in their configs, otherwise\n# they will reject relay requests.\n#relays:\n#- 192.168.100.1\n#- <other Nebula VPN IPs of hosts used as relays to access me>\n# Set am_relay to true to permit other hosts to list my IP in their relays config. Default false.\nam_relay: false\n# Set use_relays to false to prevent this instance from attempting to establish connections through relays.\n# default true\nuse_relays: true\n\n# Configure the private interface. Note: addr is baked into the nebula certificate\ntun:\n# When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root)\ndisabled: false\n# Name of the device. If not set, a default will be chosen by the OS.\n# For macOS: if set, must be in the form `utun[0-9]+`.\n# For FreeBSD: Required to be set, must be in the form `tun[0-9]+`.\ndev: nebula1\n# Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in pki.cert\ndrop_local_broadcast: false\n# Toggles forwarding of multicast packets\ndrop_multicast: false\n# Sets the transmit queue length, if you notice lots of transmit drops on the tun it may help to raise this number. Default is 500\ntx_queue: 500\n# Default MTU for every packet, safe setting is (and the default) 1300 for internet based traffic\nmtu: 1300\n\n# Route based MTU overrides, you have known vpn ip paths that can support larger MTUs you can increase/decrease them here\nroutes:\n#- mtu: 8800\n# route: 10.0.0.0/16\n\n# Unsafe routes allows you to route traffic over nebula to non-nebula nodes\n# Unsafe routes should be avoided unless you have hosts/services that cannot run nebula\n# NOTE: The nebula certificate of the \"via\" node *MUST* have the \"route\" defined as a subnet in its certificate\n# `mtu`: will default to tun mtu if this option is not specified\n# `metric`: will default to 0 if this option is not specified\n# `install`: will default to true, controls whether this route is installed in the systems routing table.\nunsafe_routes:\n#- route: 172.16.1.0/24\n# via: 192.168.100.99\n# mtu: 1300\n# metric: 100\n# install: true\n\n# TODO\n# Configure logging level\nlogging:\n# panic, fatal, error, warning, info, or debug. Default is info\nlevel: info\n# json or text formats currently available. Default is text\nformat: text\n# Disable timestamp logging. useful when output is redirected to logging system that already adds timestamps. Default is false\n#disable_timestamp: true\n# timestamp format is specified in Go time format, see:\n# https://golang.org/pkg/time/#pkg-constants\n# default when `format: json`: \"2006-01-02T15:04:05Z07:00\" (RFC3339)\n# default when `format: text`:\n# when TTY attached: seconds since beginning of execution\n# otherwise: \"2006-01-02T15:04:05Z07:00\" (RFC3339)\n# As an example, to log as RFC3339 with millisecond precision, set to:\n#timestamp_format: \"2006-01-02T15:04:05.000Z07:00\"\n\n#stats:\n#type: graphite\n#prefix: nebula\n#protocol: tcp\n#host: 127.0.0.1:9999\n#interval: 10s\n\n#type: prometheus\n#listen: 127.0.0.1:8080\n#path: /metrics\n#namespace: prometheusns\n#subsystem: nebula\n#interval: 10s\n\n# enables counter metrics for meta packets\n# e.g.: `messages.tx.handshake`\n# NOTE: `message.{tx,rx}.recv_error` is always emitted\n#message_metrics: false\n\n# enables detailed counter metrics for lighthouse packets\n# e.g.: `lighthouse.rx.HostQuery`\n#lighthouse_metrics: false\n\n# Handshake Manager Settings\n#handshakes:\n# Handshakes are sent to all known addresses at each interval with a linear backoff,\n# Wait try_interval after the 1st attempt, 2 * try_interval after the 2nd, etc, until the handshake is older than timeout\n# A 100ms interval with the default 10 retries will give a handshake 5.5 seconds to resolve before timing out\n#try_interval: 100ms\n#retries: 20\n# trigger_buffer is the size of the buffer channel for quickly sending handshakes\n# after receiving the response for lighthouse queries\n#trigger_buffer: 64\n\n\n# Nebula security group configuration\nfirewall:\n# Action to take when a packet is not allowed by the firewall rules.\n# Can be one of:\n# `drop` (default): silently drop the packet.\n# `reject`: send a reject reply.\n# - For TCP, this will be a RST \"Connection Reset\" packet.\n# - For other protocols, this will be an ICMP port unreachable packet.\noutbound_action: drop\ninbound_action: drop\n\nconntrack:\ntcp_timeout: 12m\nudp_timeout: 3m\ndefault_timeout: 10m\n\n# The firewall is default deny. There is no way to write a deny rule.\n# Rules are comprised of a protocol, port, and one or more of host, group, or CIDR\n# Logical evaluation is roughly: port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr)\n# - port: Takes `0` or `any` as any, a single number `80`, a range `200-901`, or `fragment` to match second and further fragments of fragmented packets (since there is no port available).\n# code: same as port but makes more sense when talking about ICMP, TODO: this is not currently implemented in a way that works, use `any`\n# proto: `any`, `tcp`, `udp`, or `icmp`\n# host: `any` or a literal hostname, ie `test-host`\n# group: `any` or a literal group name, ie `default-group`\n# groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass\n# cidr: a CIDR, `0.0.0.0/0` is any.\n# ca_name: An issuing CA name\n# ca_sha: An issuing CA shasum\n\noutbound:\n# Allow all outbound traffic from this node\n- port: any\nproto: any\nhost: any\ngroup: $GROUPNAME\n\ninbound:\n# Allow icmp between any nebula hosts\n- port: any\nproto: icmp\ngroup: $GROUPNAME\n\n- port: 443\nproto: tcp\ngroup: $GROUPNAME\n\n- port: 80\nproto: tcp\ngroup: $GROUPNAME\n\n- port: 22\nproto: tcp\ngroup: $GROUPNAME\n/etc/systemd/system/nebula.service
[Unit]\nDescription=nebula\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nCapabilityBoundingSet=CAP_NET_ADMIN\nAmbientCapabilities=CAP_NET_ADMIN\nExecStart=/snap/nebula/current/bin/nebula -config /etc/nebula/config.yaml\nRestart=always\nRestartSec=1\nUser=pi\nType=simple\n\n[Install]\nWantedBy=multi-user.target\nsudo systemctl enable nebula.servicesudo systemctl start nebula.servicesudo systemctl status nebula.servicejournalctl -xeu nebula.servicesystemd unit file
"},{"location":"infrastructure/networking/vpn/#certificate-renewal","title":"Certificate renewal","text":"nebula-cert sign -name $HOSTNAME -ip \"192.168.100.XX/24\" -groups \"$HOSTNAME,$GROUPNAME\"\nhostname.crt, hostname.key, ca.crt files to clientssudo -s\necho 10 > /sys/class/leds/kbd_backlight/brightness\nabout:config
: Key : : Value : : default : mousewheel.default.delta_multiplier_y 50 100 general.smoothScroll.msdPhysics.regularSpringConstant 100 -- general.smoothScroll.msdPhysics.motionBeginSpringConstant 125 -- general.smoothScroll.msdPhysics.enabled true false general.smoothScroll true false general.autoScroll true false apz.overscroll.enabled true false apz.gtk.kinetic_scroll.enabled false true"},{"location":"reference/fish/","title":"Rename shortcut","text":"Before
$ mv ~/file/path/long/old.md ~/file/path/long/new.md\nAfter
$ mv ~/file/path/long/{old,new}.md\nUse custom ssh key to push
$ GIT_SSH_COMMAND='ssh -i ~/.ssh/custom_key.rsa' git push\nsudo netstat -tulpn | grep :443\n\n# or \nsudo netstat --tcp --udp --listening --program --numeric\nsudo ss -tunl | grep -E \"(State|LISTEN)\"\nBuild and run this wiki
nix build .#container\ndocker load < result\ndocker run -p 80:80 wiki:latest caddy file-server -r /site\n\nOR\n\ndocker run -p 80:80 wiki:latest\nqemu-img create -f qcow2 example.img 80G\nqemu-system-x86_64 -cdrom ./result/iso/nixos-24.05.20240306.9df3e30-x86_64-linux.iso -drive file=example.img -net nic -net user,hostfwd=tcp::10022-:22 -daemonize -m 8G\nfish shell
eval (ssh-agent -c)\nssh-add ~/.ssh/id_ed25519\nssh $hostname\nssh-add -D # to clear keys\nHandy when needing to make edits to mikrotik router from wifi VLAN by proxying web from Mini over VPN
ssh -D 1337 -q -C -N user@hostname\nsockslocalhost Port 1337Proxy DNS when using SOCKS v5Browsing should now work from laptop but proxied over VPN so I can access router settings
Resources - https://superuser.com/questions/1308495/how-to-create-a-socks-proxy-with-ssh - https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/
"},{"location":"reference/ssh/#tunnel-remote-app-from-remote-host-locally","title":"tunnel remote app from remote host locally","text":"Use this to make edits on syncthing from headless server
ssh -L 8080:localhost:8384 user@hostname/etc/systemd/system/nebula.service
[Unit]\nDescription=nebula\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nCapabilityBoundingSet=CAP_NET_ADMIN\nAmbientCapabilities=CAP_NET_ADMIN\nExecStart=/snap/nebula/current/bin/nebula -config /etc/nebula/config.yaml\nRestart=always\nRestartSec=1\nUser=pi\nType=simple\n\n[Install]\nWantedBy=multi-user.target\nsudo systemctl status servicesudo systemctl enable servicesudo systemctl disable servicesudo systemctl restart servicesudo systemctl start servicesudo systemctl stop servicejournalctl -xeu servicejournalctl --user -xeu service -f | tspinAdd new value to outputs. See wiki or tape-encoder for examples
hydraJobs.\"tester\" = self.defaultPackage;\n/var/lib/bitwarden_rs/*
For full documentation visit mkdocs.org.
"},{"location":"services/wiki/#commands","title":"Commands","text":"mkdocs new [dir-name] - Create a new project.mkdocs serve - Start the live-reloading docs server.mkdocs build - Build the documentation site.mkdocs -h - Print help message and exit.mkdocs.yml # The configuration file.\ndocs/\n index.md # The documentation homepage.\n ... # Other markdown pages, images and other files.\nRenewing SSL certificates (Expires every 90 days)
#/usr/bin/env bash\n\nexport CLOUDFLARE_DNS_API_TOKEN=XXXXXXXX\n\nlego \\ \n--email email@domain.com \\ \n--dns cloudflare \\ \n--domains \"domain.com\" \\ \n--domains \"*.domain.com\" \\ \n--domains \"*.dev.domain.com\" run\n\nls .lego/certificates/\nCopy .crt and .key to Caddy, HAProxy, Nginx config directory.
sudo chown caddy *.crt sudo chown caddy *.key
lego
"},{"location":"infrastructure/networking/certificates/#creating-pem-file-for-haproxy-octoprint","title":"Creating pem file for haproxy (octoprint)","text":"cat domain.com.crt domain.com.key > combined.pem\nsudo nmap -p 22 192.168.0.0/24
Docs
nebula-cert sign -name $HOSTNAME -ip \"192.168.100.XX/24\" -groups \"$HOSTNAME,$GROUPNAME\"\nCopy config files generated above onto client machines to /etc/nebula
DO NOT COPY ca.key
/etc/nebula/
ca.crtconfig.yamloctoprint.crtoctoprint.key$LIGHTHOUSE_PUBLIC_IP$HOSTNAME$GROUPNAME# This is the nebula example configuration file. You must edit, at a minimum, the static_host_map, lighthouse, and firewall sections\n# Some options in this file are HUPable, including the pki section. (A HUP will reload credentials from disk without affecting existing tunnels)\n\n# PKI defines the location of credentials for this node. Each of these can also be inlined by using the yaml \": |\" syntax.\npki:\n# The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca'\nca: /etc/nebula/ca.crt\ncert: /etc/nebula/$HOSTNAME.crt\nkey: /etc/nebula/$HOSTNAME.key\n# blocklist is a list of certificate fingerprints that we will refuse to talk to\n#blocklist:\n# - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72\n# disconnect_invalid is a toggle to force a client to be disconnected if the certificate is expired or invalid.\n#disconnect_invalid: false\n\n# The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).\n# A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.\n# The syntax is:\n# \"{nebula ip}\": [\"{routable ip/dns name}:{routable port}\"]\n# Example, if your lighthouse has the nebula IP of 192.168.100.1 and has the real ip address of 100.64.22.11 and runs on port 4242:\nstatic_host_map:\n\"192.168.100.1\": [\"$LIGHTHOUSE_PUBLIC_IP:4242\"]\n\n\nlighthouse:\n# am_lighthouse is used to enable lighthouse functionality for a node. This should ONLY be true on nodes\n# you have configured to be lighthouses in your network\nam_lighthouse: false\n# serve_dns optionally starts a dns listener that responds to various queries and can even be\n# delegated to for resolution\n#serve_dns: false\n#dns:\n# The DNS host defines the IP to bind the dns listener to. This also allows binding to the nebula node IP.\n#host: 0.0.0.0\n#port: 53\n# interval is the number of seconds between updates from this node to a lighthouse.\n# during updates, a node sends information about its current IP addresses to each node.\ninterval: 60\n# hosts is a list of lighthouse hosts this node should report to and query from\n# IMPORTANT: THIS SHOULD BE EMPTY ON LIGHTHOUSE NODES\n# IMPORTANT2: THIS SHOULD BE LIGHTHOUSES' NEBULA IPs, NOT LIGHTHOUSES' REAL ROUTABLE IPs\nhosts:\n- \"192.168.100.1\"\n\n# remote_allow_list allows you to control ip ranges that this node will\n# consider when handshaking to another node. By default, any remote IPs are\n# allowed. You can provide CIDRs here with `true` to allow and `false` to\n# deny. The most specific CIDR rule applies to each remote. If all rules are\n# \"allow\", the default will be \"deny\", and vice-versa. If both \"allow\" and\n# \"deny\" IPv4 rules are present, then you MUST set a rule for \"0.0.0.0/0\" as\n# the default. Similarly if both \"allow\" and \"deny\" IPv6 rules are present,\n# then you MUST set a rule for \"::/0\" as the default.\n#remote_allow_list:\n# Example to block IPs from this subnet from being used for remote IPs.\n#\"172.16.0.0/12\": false\n\n# A more complicated example, allow public IPs but only private IPs from a specific subnet\n#\"0.0.0.0/0\": true\n#\"10.0.0.0/8\": false\n#\"10.42.42.0/24\": true\n\n# EXPERIMENTAL: This option may change or disappear in the future.\n# Optionally allows the definition of remote_allow_list blocks\n# specific to an inside VPN IP CIDR.\n#remote_allow_ranges:\n# This rule would only allow only private IPs for this VPN range\n#\"10.42.42.0/24\":\n#\"192.168.0.0/16\": true\n\n# local_allow_list allows you to filter which local IP addresses we advertise\n# to the lighthouses. This uses the same logic as `remote_allow_list`, but\n# additionally, you can specify an `interfaces` map of regular expressions\n# to match against interface names. The regexp must match the entire name.\n# All interface rules must be either true or false (and the default will be\n# the inverse). CIDR rules are matched after interface name rules.\n# Default is all local IP addresses.\n#local_allow_list:\n# Example to block tun0 and all docker interfaces.\n#interfaces:\n#tun0: false\n#'docker.*': false\n# Example to only advertise this subnet to the lighthouse.\n#\"10.0.0.0/8\": true\n\n# advertise_addrs are routable addresses that will be included along with discovered addresses to report to the\n# lighthouse, the format is \"ip:port\". `port` can be `0`, in which case the actual listening port will be used in its\n# place, useful if `listen.port` is set to 0.\n# This option is mainly useful when there are static ip addresses the host can be reached at that nebula can not\n# typically discover on its own. Examples being port forwarding or multiple paths to the internet.\n#advertise_addrs:\n#- \"1.1.1.1:4242\"\n#- \"1.2.3.4:0\" # port will be replaced with the real listening port\n\n# EXPERIMENTAL: This option may change or disappear in the future.\n# This setting allows us to \"guess\" what the remote might be for a host\n# while we wait for the lighthouse response.\n#calculated_remotes:\n# For any Nebula IPs in 10.0.10.0/24, this will apply the mask and add\n# the calculated IP as an initial remote (while we wait for the response\n# from the lighthouse). Both CIDRs must have the same mask size.\n# For example, Nebula IP 10.0.10.123 will have a calculated remote of\n# 192.168.1.123\n#10.0.10.0/24:\n#- mask: 192.168.1.0/24\n# port: 4242\n\n# Port Nebula will be listening on. The default here is 4242. For a lighthouse node, the port should be defined,\n# however using port 0 will dynamically assign a port and is recommended for roaming nodes.\nlisten:\n# To listen on both any ipv4 and ipv6 use \"::\"\nhost: 0.0.0.0\nport: 4242\n# Sets the max number of packets to pull from the kernel for each syscall (under systems that support recvmmsg)\n# default is 64, does not support reload\n#batch: 64\n# Configure socket buffers for the udp side (outside), leave unset to use the system defaults. Values will be doubled by the kernel\n# Default is net.core.rmem_default and net.core.wmem_default (/proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_default)\n# Maximum is limited by memory in the system, SO_RCVBUFFORCE and SO_SNDBUFFORCE is used to avoid having to raise the system wide\n# max, net.core.rmem_max and net.core.wmem_max\n#read_buffer: 10485760\n#write_buffer: 10485760\n# By default, Nebula replies to packets it has no tunnel for with a \"recv_error\" packet. This packet helps speed up reconnection\n# in the case that Nebula on either side did not shut down cleanly. This response can be abused as a way to discover if Nebula is running\n# on a host though. This option lets you configure if you want to send \"recv_error\" packets always, never, or only to private network remotes.\n# valid values: always, never, private\n# This setting is reloadable.\n#send_recv_error: always\n\n# Routines is the number of thread pairs to run that consume from the tun and UDP queues.\n# Currently, this defaults to 1 which means we have 1 tun queue reader and 1\n# UDP queue reader. Setting this above one will set IFF_MULTI_QUEUE on the tun\n# device and SO_REUSEPORT on the UDP socket to allow multiple queues.\n# This option is only supported on Linux.\n#routines: 1\n\npunchy:\n# Continues to punch inbound/outbound at a regular interval to avoid expiration of firewall nat mappings\npunch: true\n\n# respond means that a node you are trying to reach will connect back out to you if your hole punching fails\n# this is extremely useful if one node is behind a difficult nat, such as a symmetric NAT\n# Default is false\n#respond: true\n\n# delays a punch response for misbehaving NATs, default is 1 second.\n#delay: 1s\n\n# set the delay before attempting punchy.respond. Default is 5 seconds. respond must be true to take effect.\n#respond_delay: 5s\n\n# Cipher allows you to choose between the available ciphers for your network. Options are chachapoly or aes\n# IMPORTANT: this value must be identical on ALL NODES/LIGHTHOUSES. We do not/will not support use of different ciphers simultaneously!\n#cipher: aes\n\n# Preferred ranges is used to define a hint about the local network ranges, which speeds up discovering the fastest\n# path to a network adjacent nebula node.\n# NOTE: the previous option \"local_range\" only allowed definition of a single range\n# and has been deprecated for \"preferred_ranges\"\n#preferred_ranges: [\"172.16.0.0/24\"]\n\n# sshd can expose informational and administrative functions via ssh this is a\n#sshd:\n# Toggles the feature\n#enabled: true\n# Host and port to listen on, port 22 is not allowed for your safety\n#listen: 127.0.0.1:2222\n# A file containing the ssh host private key to use\n# A decent way to generate one: ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N \"\" < /dev/null\n#host_key: ./ssh_host_ed25519_key\n# A file containing a list of authorized public keys\n#authorized_users:\n#- user: steeeeve\n# keys can be an array of strings or single string\n#keys:\n#- \"ssh public key string\"\n\n# EXPERIMENTAL: relay support for networks that can't establish direct connections.\nrelay:\n# Relays are a list of Nebula IP's that peers can use to relay packets to me.\n# IPs in this list must have am_relay set to true in their configs, otherwise\n# they will reject relay requests.\n#relays:\n#- 192.168.100.1\n#- <other Nebula VPN IPs of hosts used as relays to access me>\n# Set am_relay to true to permit other hosts to list my IP in their relays config. Default false.\nam_relay: false\n# Set use_relays to false to prevent this instance from attempting to establish connections through relays.\n# default true\nuse_relays: true\n\n# Configure the private interface. Note: addr is baked into the nebula certificate\ntun:\n# When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root)\ndisabled: false\n# Name of the device. If not set, a default will be chosen by the OS.\n# For macOS: if set, must be in the form `utun[0-9]+`.\n# For FreeBSD: Required to be set, must be in the form `tun[0-9]+`.\ndev: nebula1\n# Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in pki.cert\ndrop_local_broadcast: false\n# Toggles forwarding of multicast packets\ndrop_multicast: false\n# Sets the transmit queue length, if you notice lots of transmit drops on the tun it may help to raise this number. Default is 500\ntx_queue: 500\n# Default MTU for every packet, safe setting is (and the default) 1300 for internet based traffic\nmtu: 1300\n\n# Route based MTU overrides, you have known vpn ip paths that can support larger MTUs you can increase/decrease them here\nroutes:\n#- mtu: 8800\n# route: 10.0.0.0/16\n\n# Unsafe routes allows you to route traffic over nebula to non-nebula nodes\n# Unsafe routes should be avoided unless you have hosts/services that cannot run nebula\n# NOTE: The nebula certificate of the \"via\" node *MUST* have the \"route\" defined as a subnet in its certificate\n# `mtu`: will default to tun mtu if this option is not specified\n# `metric`: will default to 0 if this option is not specified\n# `install`: will default to true, controls whether this route is installed in the systems routing table.\nunsafe_routes:\n#- route: 172.16.1.0/24\n# via: 192.168.100.99\n# mtu: 1300\n# metric: 100\n# install: true\n\n# TODO\n# Configure logging level\nlogging:\n# panic, fatal, error, warning, info, or debug. Default is info\nlevel: info\n# json or text formats currently available. Default is text\nformat: text\n# Disable timestamp logging. useful when output is redirected to logging system that already adds timestamps. Default is false\n#disable_timestamp: true\n# timestamp format is specified in Go time format, see:\n# https://golang.org/pkg/time/#pkg-constants\n# default when `format: json`: \"2006-01-02T15:04:05Z07:00\" (RFC3339)\n# default when `format: text`:\n# when TTY attached: seconds since beginning of execution\n# otherwise: \"2006-01-02T15:04:05Z07:00\" (RFC3339)\n# As an example, to log as RFC3339 with millisecond precision, set to:\n#timestamp_format: \"2006-01-02T15:04:05.000Z07:00\"\n\n#stats:\n#type: graphite\n#prefix: nebula\n#protocol: tcp\n#host: 127.0.0.1:9999\n#interval: 10s\n\n#type: prometheus\n#listen: 127.0.0.1:8080\n#path: /metrics\n#namespace: prometheusns\n#subsystem: nebula\n#interval: 10s\n\n# enables counter metrics for meta packets\n# e.g.: `messages.tx.handshake`\n# NOTE: `message.{tx,rx}.recv_error` is always emitted\n#message_metrics: false\n\n# enables detailed counter metrics for lighthouse packets\n# e.g.: `lighthouse.rx.HostQuery`\n#lighthouse_metrics: false\n\n# Handshake Manager Settings\n#handshakes:\n# Handshakes are sent to all known addresses at each interval with a linear backoff,\n# Wait try_interval after the 1st attempt, 2 * try_interval after the 2nd, etc, until the handshake is older than timeout\n# A 100ms interval with the default 10 retries will give a handshake 5.5 seconds to resolve before timing out\n#try_interval: 100ms\n#retries: 20\n# trigger_buffer is the size of the buffer channel for quickly sending handshakes\n# after receiving the response for lighthouse queries\n#trigger_buffer: 64\n\n\n# Nebula security group configuration\nfirewall:\n# Action to take when a packet is not allowed by the firewall rules.\n# Can be one of:\n# `drop` (default): silently drop the packet.\n# `reject`: send a reject reply.\n# - For TCP, this will be a RST \"Connection Reset\" packet.\n# - For other protocols, this will be an ICMP port unreachable packet.\noutbound_action: drop\ninbound_action: drop\n\nconntrack:\ntcp_timeout: 12m\nudp_timeout: 3m\ndefault_timeout: 10m\n\n# The firewall is default deny. There is no way to write a deny rule.\n# Rules are comprised of a protocol, port, and one or more of host, group, or CIDR\n# Logical evaluation is roughly: port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr)\n# - port: Takes `0` or `any` as any, a single number `80`, a range `200-901`, or `fragment` to match second and further fragments of fragmented packets (since there is no port available).\n# code: same as port but makes more sense when talking about ICMP, TODO: this is not currently implemented in a way that works, use `any`\n# proto: `any`, `tcp`, `udp`, or `icmp`\n# host: `any` or a literal hostname, ie `test-host`\n# group: `any` or a literal group name, ie `default-group`\n# groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass\n# cidr: a CIDR, `0.0.0.0/0` is any.\n# ca_name: An issuing CA name\n# ca_sha: An issuing CA shasum\n\noutbound:\n# Allow all outbound traffic from this node\n- port: any\nproto: any\nhost: any\ngroup: $GROUPNAME\n\ninbound:\n# Allow icmp between any nebula hosts\n- port: any\nproto: icmp\ngroup: $GROUPNAME\n\n- port: 443\nproto: tcp\ngroup: $GROUPNAME\n\n- port: 80\nproto: tcp\ngroup: $GROUPNAME\n\n- port: 22\nproto: tcp\ngroup: $GROUPNAME\n/etc/systemd/system/nebula.service
[Unit]\nDescription=nebula\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nCapabilityBoundingSet=CAP_NET_ADMIN\nAmbientCapabilities=CAP_NET_ADMIN\nExecStart=/snap/nebula/current/bin/nebula -config /etc/nebula/config.yaml\nRestart=always\nRestartSec=1\nUser=pi\nType=simple\n\n[Install]\nWantedBy=multi-user.target\nsudo systemctl enable nebula.servicesudo systemctl start nebula.servicesudo systemctl status nebula.servicejournalctl -xeu nebula.servicesystemd unit file
"},{"location":"infrastructure/networking/vpn/#certificate-renewal","title":"Certificate renewal","text":"nebula-cert sign -name $HOSTNAME -ip \"192.168.100.XX/24\" -groups \"$HOSTNAME,$GROUPNAME\"\nhostname.crt, hostname.key, ca.crt files to clientssudo -s\necho 10 > /sys/class/leds/kbd_backlight/brightness\nabout:config
: Key : : Value : : default : mousewheel.default.delta_multiplier_y 50 100 general.smoothScroll.msdPhysics.regularSpringConstant 100 -- general.smoothScroll.msdPhysics.motionBeginSpringConstant 125 -- general.smoothScroll.msdPhysics.enabled true false general.smoothScroll true false general.autoScroll true false apz.overscroll.enabled true false apz.gtk.kinetic_scroll.enabled false true"},{"location":"reference/fish/","title":"Rename shortcut","text":"Before
$ mv ~/file/path/long/old.md ~/file/path/long/new.md\nAfter
$ mv ~/file/path/long/{old,new}.md\nUse custom ssh key to push
$ GIT_SSH_COMMAND='ssh -i ~/.ssh/custom_key.rsa' git push\nsudo netstat -tulpn | grep :443\n\n# or \nsudo netstat --tcp --udp --listening --program --numeric\nsudo ss -tunl | grep -E \"(State|LISTEN)\"\nBuild and run this wiki
nix build .#container\ndocker load < result\ndocker run -p 80:80 wiki:latest caddy file-server -r /site\n\nOR\n\ndocker run -p 80:80 wiki:latest\nqemu-img create -f qcow2 example.img 80G\nqemu-system-x86_64 -cdrom ./result/iso/nixos-24.05.20240306.9df3e30-x86_64-linux.iso -drive file=example.img -net nic -net user,hostfwd=tcp::10022-:22 -daemonize -m 8G\nfish shell
eval (ssh-agent -c)\nssh-add ~/.ssh/id_ed25519\nssh $hostname\nssh-add -D # to clear keys\nHandy when needing to make edits to mikrotik router from wifi VLAN by proxying web from Mini over VPN
ssh -D 1337 -q -C -N user@hostname\nsockslocalhost Port 1337Proxy DNS when using SOCKS v5Browsing should now work from laptop but proxied over VPN so I can access router settings
Resources - https://superuser.com/questions/1308495/how-to-create-a-socks-proxy-with-ssh - https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/
"},{"location":"reference/ssh/#tunnel-remote-app-from-remote-host-locally","title":"tunnel remote app from remote host locally","text":"Use this to make edits on syncthing from headless server
ssh -L 8080:localhost:8384 user@hostname/etc/systemd/system/nebula.service
[Unit]\nDescription=nebula\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nCapabilityBoundingSet=CAP_NET_ADMIN\nAmbientCapabilities=CAP_NET_ADMIN\nExecStart=/snap/nebula/current/bin/nebula -config /etc/nebula/config.yaml\nRestart=always\nRestartSec=1\nUser=pi\nType=simple\n\n[Install]\nWantedBy=multi-user.target\nsudo systemctl status servicesudo systemctl enable servicesudo systemctl disable servicesudo systemctl restart servicesudo systemctl start servicesudo systemctl stop servicejournalctl -xeu servicejournalctl --user -xeu service -f | tspinAdd new value to outputs. See wiki or tape-encoder for examples
hydraJobs.\"tester\" = self.defaultPackage;\n/var/lib/bitwarden_rs/*
For full documentation visit mkdocs.org.
"},{"location":"services/wiki/#commands","title":"Commands","text":"mkdocs new [dir-name] - Create a new project.mkdocs serve - Start the live-reloading docs server.mkdocs build - Build the documentation site.mkdocs -h - Print help message and exit.mkdocs.yml # The configuration file.\ndocs/\n index.md # The documentation homepage.\n ... # Other markdown pages, images and other files.\n